Bug 1057729 - (CVE-2017-14173) VUL-0: CVE-2017-14173: ImageMagick: Function ReadTXTImage is vulnerable to an integer overflow that could lead to denial of service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P4 - Low : Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/191539/
CVSSv2:SUSE:CVE-2017-14173:4.3:(AV:N/...
Reported: 2017-09-08 06:52 UTC by Victor Pereira
Modified: 2017-12-22 23:40 UTC

Found By: Security Response Team
Description Victor Pereira 2017-09-08 06:52:46 UTC
CVE-2017-14173

In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10, an
integer overflow might occur for the addition operation
"GetQuantumRange(depth)+1" when "depth" is large, producing a smaller value than
expected. As a result, an infinite loop would occur for a crafted TXT file that
claims a very large "max_value" value.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14173
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14173.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14173
https://github.com/ImageMagick/ImageMagick/commit/48bcf7c39302cdf9b0d9202ad03bf1b95152c44d
https://github.com/ImageMagick/ImageMagick/issues/713
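
The wraparound in the description, as an added example that is not ImageMagick's code or part of the original report: a simplified model of the depth search next to a hardened form. The names `quantum_range`, `depth_unchecked`, `depth_checked`, and the `cap` and `limit` parameters are hypothetical, and the range function is assumed to saturate at 64 bits.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_DEPTH 64u

/* Simplified model (assumption): largest value that fits in `depth` bits,
   saturating at 64 bits. */
static uint64_t quantum_range(unsigned depth)
{
    if (depth >= MAX_DEPTH)
        return UINT64_MAX;
    return (UINT64_C(1) << depth) - 1;
}

/* Same shape as the loop condition in the description. `cap` is a
   hypothetical guard so the demo terminates; returns 0 when it is hit. */
static unsigned depth_unchecked(uint64_t max_value, unsigned cap)
{
    unsigned depth;
    for (depth = 1; quantum_range(depth) + 1 < max_value; depth++)
        if (depth >= cap)
            return 0;   /* range+1 wrapped to 0: condition never turns false */
    return depth;
}

/* Hardened form: compare against max_value-1 so nothing wraps, and bound the
   search by `limit` (assumed policy). Returns 0 to mean "reject the header". */
static unsigned depth_checked(uint64_t max_value, unsigned limit)
{
    uint64_t need = max_value ? max_value - 1 : 0;
    unsigned depth;
    for (depth = 1; depth <= limit && depth <= MAX_DEPTH; depth++)
        if (quantum_range(depth) >= need)
            return depth;
    return 0;
}

int main(void)
{
    /* Constructed header values: one ordinary, one oversized. */
    uint64_t samples[] = { 256, UINT64_MAX };
    for (int i = 0; i < 2; i++)
        printf("unchecked=%u checked=%u\n",
               depth_unchecked(samples[i], 1000),
               depth_checked(samples[i], 32));
    return 0;
}
```

Any claimed maximum above 2^63 makes the unchecked condition permanently true once the range saturates, which is why the demo needs the cap.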
Comment 1 Marcus Meissner 2017-09-29 09:30:14 UTC
2^64 length CPU DOS loop. It will end, but it will take too long.
Comment 2 Petr Gajdos 2017-11-01 09:01:37 UTC
BEFORE

ImageMagick
-----------

12

$ convert x_txt_poc.txt /dev/null
'takes long'

11

$  convert x_txt_poc.txt /dev/null
convert: no decode delegate for this image format `x_txt_poc.txt'.
convert: missing an image filename `/dev/null'.
$

(exits immediately)

GraphicsMagick
--------------

11

$ gm convert x_txt_poc.txt /dev/null
$

(exits immediately)

42.2, 42.3

$ gm convert x_txt_poc.txt /dev/null
gm convert: Image type not supported (x_txt_poc.txt).
$

(exits immediately)


PATCH

https://github.com/ImageMagick/ImageMagick/commit/d06bf16cc05a8b859387be2ea16f2056ded34afa
https://github.com/ImageMagick/ImageMagick/commit/48bcf7c39302cdf9b0d9202ad03bf1b95152c44d

GraphicsMagick: code is not there
11/ImageMagick: code is there

AFTER

ImageMagick
-----------

12

$ convert x_txt_poc.txt /dev/null
057729: improper image header `x_txt_poc.txt' @ error/txt.c/ReadTXTImage/436.
057729: no images defined `/dev/null' @ error/convert.c/ConvertImageCommand/3149.
$

(fixed)

11

$ convert x_txt_poc.txt /dev/null
convert: no decode delegate for this image format `x_txt_poc.txt'.
convert: missing an image filename `/dev/null'.
$

(no change)

Summary: considering affected 11/ImageMagick and 12/ImageMagick
Comment 3 Petr Gajdos 2017-11-03 09:13:50 UTC
I believe all fixed.
Comment 5 Swamp Workflow Management 2017-12-20 17:11:45 UTC
SUSE-SU-2017:3378-1: An update that fixes 26 vulnerabilities is now available.

Category: security (important)
Bug References: 1048457,1049796,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052758,1052764,1054757,1055214,1056432,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060577,1066003,1067181,1067184
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14733,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-7.78.14.1
Comment 6 Swamp Workflow Management 2017-12-20 17:38:57 UTC
SUSE-SU-2017:3388-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ImageMagick-6.8.8.1-71.17.1
Comment 7 Andreas Stieger 2017-12-22 15:55:15 UTC
done
Comment 8 Swamp Workflow Management 2017-12-22 20:14:41 UTC
openSUSE-SU-2017:3420-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-40.1
openSUSE Leap 42.2 (src):    ImageMagick-6.8.8.1-30.12.1